The Cyber Resilience Act divides products with digital elements into four categories: Default, Important Class I, Important Class II, and Critical. The classification is not discretionary — it follows the product lists in Annex III (Part I for Class I, Part II for Class II) and Annex IV. Default products use Module A (internal control). Important Class I can use Module A only with harmonised standards. Important Class II and Critical require Notified Body involvement. CRACheck runs your product through both annexes, determines the category, and generates the 8 compliance documents in 15–25 minutes at €149.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
Annex III, Part I includes smart home products with security functionalities, industrial IoT devices, and products intended for use by children. A sensor connected to a network, collecting data in a home or industrial environment, may fall under Class I depending on its function and intended use.
Class I products can self-assess under Module A if they apply harmonised standards covering all essential requirements. Class II products cannot — they require Module B+C (EU-type examination + production control) or Module H (full quality assurance) involving a Notified Body. The cost and timeline differ by an order of magnitude.
Articles 7 and 8 of Regulation (EU) 2024/2847 empower the European Commission to adopt delegated acts amending Annex III and IV. The categories are legally defined, not approximate. A misclassification discovered by a market surveillance authority triggers corrective measures and potential fines under Art. 64.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
The primary deliverable. Determines your product's category based on Annex III (Part I: Class I, Part II: Class II) and Annex IV (Critical). Outputs the exact Annex entry matched, the applicable conformity assessment module, and whether Notified Body involvement is required.
Art. 31 + Annex VII package tailored to your classification.
Annex I, Part I + Part II cybersecurity risk assessment. Depth influenced by product classification.
Annex II instructions. Same structure regardless of classification.
Art. 28 + Annex V. References the conformity assessment module used.
Art. 13(6) coordinated vulnerability disclosure. Applies to all categories.
Art. 14 ENISA notification. Same structure for all categories. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Timelines including classification-specific milestones.
See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.
Generated from your data, in your browser. No data leaves your device.
CRACheck classifies your product against Annex III and Annex IV, determines the conformity assessment module under Art. 32, and generates 8 structured documents aligned to your category.
CRACheck does not issue binding classification opinions. It does not act as a Notified Body. It does not perform Module B, Module C, or Module H assessments. For Important Class II or Critical products, the Notified Body makes the final determination on conformity.
CRACheck gives you the classification analysis and the documentation foundation. The Notified Body — if required — evaluates against that foundation.
For placing a product on the market without the correct conformity assessment per Art. 32.
For non-compliance with documentation or classification obligations.
For providing misleading classification information to authorities or Notified Bodies.
| Criterion | Self-classification (manual) | Consultancy opinion | Notified Body pre-check | CRACheck |
|---|---|---|---|---|
| Classification output | Uncertain | Opinion letter | Informal guidance | Structured classifier |
| Documentation | Not included | Not included | Not included | 8 documents included |
| Cost | Staff time | €2K–€8K | €3K–€10K | €149 |
| Time | Variable | 2–6 weeks | 4–8 weeks | 15–25 min |
| CRACheck | Structured | 8 docs | €149 | 15-25 min |
If you manufacture both Default and Class I/II products, each needs its own classification and documentation. Pack pricing: €99/product (10), €79/product (30).
Request volume pricingCRACheck generates a structured document package according to Article 31 and Annex VII of Regulation (EU) 2024/2847 based on the information you enter. The classification output is determined by your declared product specifications. The accuracy of those declarations is your responsibility as the manufacturer.
We guarantee that the classification logic follows Annex III and Annex IV of Regulation (EU) 2024/2847 and that the conformity assessment module references follow Art. 32 + Annex VIII. We do not guarantee that a market surveillance authority or Notified Body will agree with a specific classification in a specific case.
CRACheck is not legal advice. For borderline classification cases, consult a specialised regulatory consultancy or contact your national market surveillance authority.
CRACheck auto-classifies your product against Annex III and IV and generates the full 8-document dossier. €149 per product.